The Salesloft Drift data breach exposed customer support and account records from more than 700 organizations, including Cloudflare, Palo Alto Networks, Zscaler, Proofpoint, TransUnion, Workday, and dozens more. If you have ever contacted the sales or support team of any of these companies, your name, email, phone number, and correspondence may have been stolen. Here is what happened and the steps to take right now.
What Happened
Between August 8 and August 18, 2025, the threat actor tracked as UNC6395 (also known as "Icarus" and closely tied to the ShinyHunters extortion group) exploited compromised OAuth tokens issued to the Salesloft Drift chatbot integration for Salesforce. Because Drift was authorized to read data across many companies' Salesforce environments, one stolen set of tokens gave attackers access to the customer data of every organization that had ever connected the Drift chatbot to Salesforce.
The attackers systematically exported large volumes of data from more than 700 organizations, primarily focused on Salesforce support cases, contact records, and account data. Investigations have continued into 2026 as more affected companies confirm exposure and mail notification letters to their customers.
Why this breach is different
Most breaches expose the customers of a single company. Salesloft Drift is a supply-chain breach: a compromised integration used by hundreds of companies. That means you may receive breach notifications from several companies over months as each one finishes its own investigation.
What Data Was Stolen
The stolen data varies by company because each organization stored different information in Salesforce. Confirmed exposed fields across affected companies include:
- Full name and email address
- Phone number
- Company name and job title
- Business address
- Support case text, including the content of tickets and correspondence with agents
- Sales opportunity notes and internal comments about the customer
- Plaintext credentials embedded in support cases (AWS keys, Snowflake tokens, VPN passwords)
For a subset of companies, more sensitive fields were exposed. TransUnion notified 4.4 million people that their Social Security numbers, dates of birth, and addresses were included. Other companies confirmed exposure of customer support conversation history but no financial data.
Confirmed Affected Companies
Notable organizations that have publicly confirmed being caught in the Salesloft Drift breach include:
- Cloudflare
- Palo Alto Networks
- Zscaler
- Proofpoint
- Tenable
- Qualys
- Dynatrace
- HackerOne
- Workday
- CyberArk
- Lucid Software
- TransUnion
- SpyCloud
- Nutanix
- Rubrik
Dozens more have confirmed exposure and the list continues to grow as forensic investigations complete. If you have contacted the support or sales team of any large B2B SaaS or security vendor between 2023 and August 2025, treat your data as potentially exposed even if you have not yet received a notification.
Who Is Affected
You are likely in the affected group if any of the following are true:
- You filed a support ticket, chatted with a Drift widget, or exchanged sales emails with any of the confirmed affected companies
- You received a breach notification letter or email referencing the Salesloft Drift, Drift, or third-party integration incident
- You are a customer of TransUnion, in which case you should follow our TransUnion breach guide as well
Step 1: Change Passwords Referenced in Old Support Tickets
If you ever pasted a password, API key, or configuration file into a support ticket, treat every credential from that ticket as compromised. Rotate them immediately:
- Rotate any AWS access keys, GitHub tokens, database credentials, or API keys you may have shared with support
- Change passwords for any admin, service, or vendor account that appeared in support correspondence
- Revoke and reissue any OAuth tokens or SAML integration secrets discussed with support
Step 2: Watch for Highly Targeted Phishing
The stolen support case text lets attackers reference real details from your history to make phishing sound legitimate. A typical attack might quote a real support ticket number, a case reference, or a project name to trick you into clicking a malicious link.
Signs of a Salesloft-fueled phishing attempt
Watch for emails, texts, or calls that reference specific support tickets, product configurations, sales conversations, or internal project names. Legitimate vendors will never ask you to click a link and re-enter credentials to "verify" past support cases. If in doubt, log in directly rather than following any link.
Is your data already out there?
Leaked data ends up on broker sites and in scammers' hands. Run a free 60-second scan to see your exposure — then let us remove it.
Run a free scan★★★★★ 4.8/5 · Trusted by thousands of families
Step 3: Enable Multi-Factor Authentication Everywhere
Because the Salesloft attack itself started by abusing OAuth tokens, the attackers now have detailed knowledge of your workflow with each affected vendor. Turn on phishing-resistant multi-factor authentication for every account you can, prioritizing:
- Vendor admin consoles (Cloudflare, Zscaler, Okta, etc.)
- Cloud provider accounts (AWS, Azure, Google Cloud)
- Email, calendar, and collaboration tools
- Password managers and identity providers
Use hardware security keys or an authenticator app rather than SMS codes wherever possible. See our guide on setting up two-factor authentication everywhere.
Step 4: Audit Third-Party Integrations
The Drift breach exploited a legitimate app that had been granted permission to read Salesforce data. Similar OAuth-token abuse can target any SaaS integration. Review every third-party app connected to your business or personal accounts and revoke any you no longer use.
- Salesforce: Setup > Connected Apps OAuth Usage
- Google Workspace: myaccount.google.com/permissions
- Microsoft 365: myapps.microsoft.com > Manage Access
- GitHub: Settings > Applications > Authorized OAuth Apps
Step 5: Remove Your Business Contact Data From Data Brokers
Attackers who now hold your business email, phone number, and job title will combine them with public data broker records to build a complete social engineering profile. Data brokers like ZoomInfo, Apollo.io, Lusha, RocketReach, and Cognism sell exactly this kind of profile to anyone with a credit card. Opting out of these B2B brokers dramatically limits what attackers can build on top of the stolen support data.
PrivacyOn removes your information from 100+ data brokers, including the B2B people-search sites attackers use to enrich stolen breach data, and monitors for re-listing so your data does not silently return.
Step 6: If You Are a Business, Notify Your Security Team
If your organization used Salesloft Drift with Salesforce during the exposure window, treat this as an active incident, not a customer-only breach. Salesloft has revoked all Drift OAuth tokens, but the underlying support case data has already been extracted. Your security team should:
- Confirm the Drift-Salesforce integration was removed
- Rotate every credential that ever appeared in a support case or Slack thread now known to have synced with Drift
- Search Salesforce audit logs for the UNC6395 indicators of compromise published by Google Threat Intelligence Group
- Notify affected customers if regulatory disclosure applies
Frequently Asked Questions
How do I know if I am affected by the Salesloft Drift breach?
The primary signal is a notification letter or email from a company you have done business with, referencing a third-party integration or Salesforce-related incident in August 2025. You can also check the ongoing tracker at driftbreach.com and search haveibeenpwned.com by email address. If you are a customer of TransUnion, Cloudflare, Palo Alto Networks, or any other confirmed affected company, assume exposure.
Was my password stolen in the Salesloft Drift breach?
Direct account passwords for the affected vendors were not part of the Salesforce data. However, if you ever pasted a password, API key, or configuration file into a support ticket, that credential is now exposed. Rotate any credentials that appeared in past support correspondence and review our advice on checking whether your password has been leaked.
Do I need to file a fraud alert or freeze my credit?
For most affected companies, no financial or Social Security data was in the exposed Salesforce records. If your notification specifically mentions Social Security numbers, dates of birth, or financial account numbers (as in the TransUnion case), freeze your credit at all three bureaus immediately. Otherwise, focus on password rotation, MFA, and phishing awareness.
What is UNC6395 and are they still active?
UNC6395 is a threat cluster tracked by Google's Threat Intelligence Group, closely tied to the broader ShinyHunters extortion collective. The group specializes in OAuth-token abuse against SaaS integrations. They remain active in 2026 and continue to publish and monetize stolen data on dark web forums.
Should I stop using SaaS chatbots and integrations?
No, but you should treat every OAuth grant as a durable access token. Audit integrations quarterly, remove apps you no longer use, and prefer vendors that support scoped, revocable, short-lived tokens. The Salesloft Drift incident shows that a single compromised integration can cascade across hundreds of downstream companies.
Reduce Your Breach Fallout With PrivacyOn
The Salesloft Drift breach is a reminder that your personal and professional data is only as safe as the weakest integration used by any company you interact with. PrivacyOn continuously removes your information from 100+ data brokers, monitors the dark web for your exposed details, and covers up to 5 family members on a single plan starting at $8.33 per month. The next supply-chain breach will happen. Make sure it finds less about you to steal.